JWF edit: More about this now on the Fedora Magazine: (correction to the Fedora Magazine article: testing updates are not opt in in F40 but enabled by default because it is a pre-release; see update 2 below) The xz package that has already entered the current F40 pre-release versions/variants and rawhide contains malicious code. This does NOT affect users of the Fedora releases (F38, F39 are thus not affected), but all users who use already F40 pre-release versions/variants or rawhide shal...
Perhaps it was a poorly worded way of suggesting that invalidating host keys would invalidate all client keys it could potentially generate? Either way it’s a lot of speculation.
Resetting the keys and SSH config on any potentially compromised host is probably not a terrible idea
Perhaps it was a poorly worded way of suggesting that invalidating host keys would invalidate all client keys it could potentially generate? Either way it’s a lot of speculation.
Resetting the keys and SSH config on any potentially compromised host is probably not a terrible idea